lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: eric at arcticbears.com (Eric Paynter)
Subject: House approves spyware legislation

On Wed, October 6, 2004 8:18 pm, Bankim J. Tejani said:
> 1) How can you prove what the setting was before?  It's one thing for
> you to know what it was, but another to prove it in a court of law.
> Otherwise it's your word versus theirs.

This is easy because the (perhaps soon to be) illegal action is usually
automated and repeatable. Simply bring in the police to begin an
investigation (usually happens before anybody is arrested, so the bad site
will still be up). The police can set their browser, go to the website,
note that the browser setting was changed (or whatever breach of the law),
and record their actions and the results as evidence. This is enough to
get a warrant which leads to...


> 2) How can you find out who exactly was the person or company that took
> this action?  You're talking about a massive time undertaking to trace
> the packet data through every router between you and the accused.

It's not hard to find the physical location of a web server. Take the
warrant, go to the location, and seize all of their equipment. Now you
have a web server with an application that is performing an illegal
action.


> 3) Was their machine used by some hacker?  This, unfortunately (or
> fortunately, depending on how you see it), has been used in court and
> proved to be a successful defense.

That is a weak defense, and more often, especially with corporations, they
are being held accountable for what their systems do. It is their
responsibility to protect their systems. Phrases like "due diligence" come
to mind...


> 4) What was the motive for changing your computer specifically?

To gather profiling information for marketing purposes. To put their
marketing "in your face" so you see it more. In short, the motive is to
earn more money.


> 5) What type of crime is appropriate?  Is it theft?  trespassing?
> moving your plant from your front yard to your back yard?

As the bill says, the crime is that of altering the funcion of computer
without authorization. This has nothing to do with theft or trespassing.
It is a different type of crime, but it is (or perhaps soon will be) a
crime nonetheless.


> 6) What is an appropriate sentence?  The five minutes you lost changing
> it back paid at your current salary?  A fine?   jail time?

If the bill is passed into law, there will be suggested minimum and
maximum punishments, as with all laws. What's the point of this statement?


> Few organizations have successfully prosecuted under any form of cyber
> law.  The most notable so far has been the RIAA, whose cases were never
> tested in court, but used to torque people into paying fines rather than
> facing legal bills that would bankrupt them.

What? You are saying that organizations are not successful prosecuting and
you site as an example an organization that is having such high success
that people settle out of court rather than fight?

I'm not suggesting that this bill is the greatest thing, but we do need to
update the laws and there are ways to reduce cyber crimes. We can start
trying today, maybe take a few tries to get it right. Or we can not start
today, in which case, it will take longer to get it right. I suggest we
start today.

-Eric


Powered by blists - more mailing lists